Security at AddToCRM
We protect the CRM credentials and contact data of sales teams worldwide. Security is built into every layer of our platform.
- AES-256-GCM: authenticated encryption of stored credentials
- GDPR compliant: EU GDPR, UK GDPR and CCPA
- MV3 extension: built on Chrome's current extension security model
- TLS everywhere: HSTS with preload
Encryption & Data Protection
Your most sensitive data is protected with industry-standard encryption at every stage.
CRM Credentials
All CRM API keys and OAuth tokens are encrypted with AES-256-GCM authenticated encryption before storage. Credentials are never stored in plaintext. GCM mode provides both confidentiality and integrity verification, so a stored value that has been modified or swapped fails to decrypt rather than silently returning altered data.
Data in Transit
All connections use TLS 1.2 or later with automatically provisioned certificates. We enforce HSTS with preload, so browsers never make a plaintext HTTP request to our domains; this blocks SSL-stripping (HTTP-to-HTTPS downgrade) attacks. All API and web traffic requires HTTPS.
Passwords
User passwords are hashed with bcrypt. We enforce minimum password complexity requirements and never store or log plaintext passwords.
Payment Data
All payment processing is handled by Stripe (PCI DSS Level 1 certified). We never see, store, or process credit card numbers. Webhook signatures are cryptographically verified.
Authentication & Access Control
Multiple layers of protection guard access to your account and data.
Account Security
- Session cookies are set with HttpOnly (not readable by page scripts), Secure (sent only over HTTPS) and SameSite (not sent on cross-site requests, which mitigates CSRF).
- Google OAuth 2.0 support for passwordless authentication.
- Brute force protection with per-IP rate limiting on login and signup endpoints.
- Login and signup return the same response whether or not an account exists, preventing user enumeration.
Fraud Prevention
- Device fingerprint detection limits account creation per device, preventing abuse.
- Disposable email blocking prevents signups with temporary email addresses.
- Organization-level data isolation ensures teams only access their own data.
- Comprehensive audit logging across all CRM operations for complete traceability.
Application Security
Built with defence-in-depth principles across every layer of the stack.
SQL Injection Prevention
All database queries use parameterised prepared statements. No user input is ever concatenated into SQL.
Content Security Policy
A strict CSP is enforced across all routes, blocking inline scripts and restricting resource loading to trusted domains.
Chrome Extension (MV3)
Built on Manifest V3 with the minimum required permissions. UI is fully isolated from host pages.
Error Handling
Generic error messages are returned to clients. Stack traces and internal details are never exposed to end users.
Security Headers
HSTS preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy, and Permissions-Policy enforced.
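The Content Security Policy and Security Headers items above, as one added example (not AddToCRM's middleware): a function that builds the header set for every response, with a nonce-based `script-src` in place of `'unsafe-inline'`, plus two checks a practitioner can run against any header map, one for the HSTS preload-list requirements (max-age of at least one year, includeSubDomains, preload) and one for inline-script allowance in the CSP. The directive values and the weak "before" set are assumptions for the example.

```javascript
// Added example, not AddToCRM's code: security headers and a strict CSP.

// Strict CSP: scripts only from our origin or carrying the per-response nonce.
function buildCsp(nonce) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", `'nonce-${nonce}'`], // no 'unsafe-inline'
    'style-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'connect-src': ["'self'"],
    'frame-ancestors': ["'none'"],                // CSP-level equivalent of X-Frame-Options DENY
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'form-action': ["'self'"],
  };
  return Object.entries(directives).map(([k, v]) => `${k} ${v.join(' ')}`).join('; ');
}

// Headers applied to every route. Values are example choices.
function securityHeaders(nonce) {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'Content-Security-Policy': buildCsp(nonce),
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Apply to a Node http.ServerResponse (or any object with setHeader).
function applySecurityHeaders(res, nonce) {
  for (const [name, value] of Object.entries(securityHeaders(nonce))) res.setHeader(name, value);
}

// hstspreload.org requires max-age >= 31536000, includeSubDomains and preload.
function hstsPreloadEligible(headers) {
  const v = headers['Strict-Transport-Security'] || '';
  const m = /max-age=(\d+)/i.exec(v);
  return !!m && Number(m[1]) >= 31536000 && /includeSubDomains/i.test(v) && /\bpreload\b/i.test(v);
}

// True if the script-src directive (falling back to default-src) permits inline scripts.
function cspAllowsInlineScripts(headers) {
  const csp = headers['Content-Security-Policy'] || '';
  const dirs = csp.split(';').map((s) => s.trim());
  const script = dirs.find((d) => d.startsWith('script-src')) || dirs.find((d) => d.startsWith('default-src')) || '';
  return /'unsafe-inline'/.test(script);
}

// Constructed "before" set that fails both checks: short HSTS lifetime, no
// includeSubDomains/preload, and inline scripts allowed.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
```

A nonce must be generated fresh per response (for example `crypto.randomBytes(16).toString('base64')`) and never reused across responses; a static nonce is equivalent to `'unsafe-inline'`.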
Sensitive Data Handling
Passwords and CRM credentials are stripped from all API responses before transmission. Sensitive values are never logged.
Privacy & Compliance
We comply with major data protection regulations worldwide.
Regulatory Compliance
- GDPR (EU General Data Protection Regulation)
- UK GDPR
- CCPA / CPRA (California)
- PIPEDA (Canada)
Data Practices
- We never sell personal data
- Full account deletion on request
- Enrichment data cached for 30 days only
- Privacy-friendly analytics (cookieless and EU-hosted)
Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 6 months |
| Enrichment cache | 30 days |
| Operation logs | 12 months |
| Inactive CRM credentials | Auto-deleted after 90 days of inactivity |
Sub-Processors
We use a limited number of trusted third-party services to provide our platform.
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| DigitalOcean | Infrastructure hosting | All application data | US |
| Stripe | Payment processing | Billing data | US (PCI DSS) |
| Apollo.io | Contact enrichment | Professional contact data | US |
| SalesQL | Contact enrichment | Professional contact data | EU |
| Prospeo | Contact enrichment | Professional contact data | EU |
| Bouncer | Email verification | Email addresses | EU |
| Google | Authentication (OAuth) | Email, name | US |
| PostHog | Product analytics | Usage events (no PII) | EU |
| Fathom | Website analytics | None (cookieless) | EU |
| MailerSend | Transactional email | Name, email | EU |
| MailerLite | Email marketing | Name, email | EU |
Infrastructure & Business Continuity
Reliable infrastructure with automated recovery and zero-downtime deployments.
Hosting & Availability
- Automated server backups with redundant storage for disaster recovery.
- Atomic deployments with timestamped builds and instant rollback capability.
- Zero-downtime deployments with automatic restart on failure.
- Health check monitoring on critical endpoints for availability verification.
International Data Transfers
Our primary infrastructure is hosted in the United States. For transfers of personal data from the EU/EEA to the US, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as additional safeguards.
Sellframe Ltd. is registered in Scotland, UK. We comply with both EU GDPR and UK GDPR requirements for international data transfers.
Working With Your InfoSec Team
We are transparent about our security posture and happy to work with your team.
Security Questionnaires
We respond to SIG Lite, CAIQ, and custom security questionnaires. We implement the technical controls required by SOC 2 and ISO 27001 frameworks.
Data Processing Agreements
We are happy to review and sign your DPA to formalise our data handling obligations and meet your compliance requirements.
Vulnerability Reporting
We welcome responsible disclosure. If you discover a security issue, please reach out to us directly and we will respond promptly.
Security Contact
For security inquiries, vulnerability reports, or to request a security questionnaire response:
phil@addtocrm.com

Last updated: 24th February 2026